Foxit Critical Zero Day RCE Vulnerabilities

Foxit Reader is prone to two zero-day remote code execution vulnerabilities, found by Steven Seeley (mr_me) and Ariele Caltabiano (kimiya). Both stem from a lack of proper validation of user-supplied data, which allows writing arbitrary files to attacker-controlled locations and launching arbitrary executables. User interaction is required: the attacker has to send a specially crafted PDF file to a Foxit user and entice them to open it. Both flaws are triggered through the JavaScript APIs of Foxit Reader, and only when Safe Reading Mode is disabled.

The first vulnerability, CVE-2017-10951, is a command injection remote code execution vulnerability in the ‘app.launchURL’ method. The method does not filter file extensions, so it can be used to launch executable files, and it does not validate its argument: it never checks whether the argument is actually a URL and in fact accepts full local paths.

The second vulnerability, CVE-2017-10952, is an arbitrary file write remote code execution vulnerability in the ‘saveAs’ method. This API is meant to save the document (in PDF format) to a given path, but it neither restricts the path it is told to write to nor checks the file extension, so the document body can be written under any name to any location the user can write to.

CVE-2017-10951 Demonstration Video:

The flaw in the ‘app.launchURL’ method is exploited as shown in the video. A document with embedded JavaScript (10951.pdf) is opened in Foxit Reader. The PDF contains a JavaScript action that calls app.launchURL with attacker-supplied data; here the attacker launches the calculator executable (calc.exe).

The vulnerability is exploited with a JavaScript action, configured to run on document open, that calls app.launchURL like:

CVE-2017-10952 Demonstration Video:

The flaw in the ‘this.saveAs’ method is exploited as shown in the video. An HTA file is embedded in the document (10952.pdf) and ‘saveAs’ is called to write it to the Startup folder. When the document is opened in Foxit Reader, the HTA file (si.hta) is saved into the Startup folder, from where Windows runs it at the next logon.

This vulnerability is exploited with a JavaScript action, configured to run on document open, that calls this.saveAs like:

Thus an HTA file is saved into the Startup folder of the system, as shown in the video.

Impact

These vulnerabilities allow attackers to execute arbitrary code on vulnerable installations of Foxit Reader, in the context of the user who opened the file, and to write arbitrary files to attacker-controlled locations. Exploitation requires the attacker to entice a user to open a malicious file or visit a malicious page.

Fix
An attacker has to bypass Safe Reading Mode to trigger the above-mentioned vulnerabilities. The vendor initially decided not to fix them, preferring to rely on the software’s “Safe Reading” mode for protection. Foxit said: “Enabled by default to control the running of JavaScript, which can effectively guard against potential vulnerabilities from unauthorized JavaScript actions”. Users of Foxit Reader should ensure that Safe Reading Mode is enabled in their setup (under Preferences > Trust Manager), and can additionally deselect ‘Enable JavaScript Actions’ under Preferences > JavaScript. Foxit later reversed its position and shipped fixes for both CVEs in Foxit Reader 8.3.2, so updating to 8.3.2 or later is the definitive remediation.

SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download Saner now and keep your systems updated and secure.